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(54) Digital signature generating/verifying method and system using pubHc key encryption 



(57) A digital signature generating^erifying method 

using a public key encryption scheme which ensures 
high security, reduction in length of the digital signature 
and independency ot the length of the digital signature 
on that the order of a base point. In generating a digital 
signature, a first hash value (e) satisfying a condition 
that e = H(M) is determined for a given message (M) by 
using a hash function (H). a numerical value (x) is 
obtained from translation of a random nunrber, a hash 
value (r) satisfying a condition that r h(x) is determined 
by using a hash function (h) whose output value is 
shorter than that of the first hash function (H), and the 
digital signature is generated by using the hash values 
(e) and (r) as determined. For verification of an inputted - 
digital signature, the hash value (e) satisfying the condi- 
tion that e £ H(M) is determined, and for a numerical 
value (x) obtained from arithmetic operation of a public 
key (Q). a oase point (P) and the inputted digital signa- 
ture (r. s), a hash value (r') satisfying a condition that r' 
= h(x) on the basis of the hash value (e), the digital sig- 
nature (r, s). the base point (P) and the public key (Q) t3y 
using a hash function (h) whose output value is shorter 
tnan that of the first hash function (H). The hash value 
(r ) IS then compared with a tally (r) of the inputted digital 
signature to thereby verify the inputted digital signature. 
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Description 

BACKGROUND OF THE INVENTION 

The present invention relates to a method and a system for generating and/or verifying a digital signature by using 
a public key encryption method tor securing the security in a computer networte 

The digital signature technology for imparting electric documents or the Bketer electronic comments or transactions 
vwth a twiction equivalent to that of a conventional seal (harto in Japanese) promises high efficiency utilization of com- 
puter-networi^ system. However, with the conventional electronic mail encryption technology (also known as Privacy 
Enhanced Mail or PEM In abbreviation), it is impossUe to process more than one digital signature for a single 
enhanced mail. In this conjunction, in the electronic commerce fields, it is expected in the not-so-distant future that the 
electronic document such as message and the iks.affixed with a number of digital signatures including not only the dig- 
ital signature of a purchaser but also those of a distributee, salesman and/br monetary business-man will be handled. 
Under the circumstances, there arises a demand for the multiple digital signature technology whk:h allows the electronic 
documents affixed vnth a plurality of digital signatures to be processed. In this cofijunction. it is noted that a person 
received an electronic document affixed with a plurality of digital signati^es will be forced to verify the authenticity of 
plural or N digital signatures written by other persons before writing or generating his or her own single digital signature. 
Thus, in order to enhance the availability of the digital signature facility in the computer networic system, it will be 
required to increase the speed for verificatnn of the plural (N) digital signatures. Besides, it Is conceivable that in the 
electronic commerces, there is a possibility that comments may be added by a plurality of persons in the course of 
processing the electronic document 

For having better understanding of the inventioa description wilt first be made in some detail of the technical back- 
ground of the invention. As a typical one of the digital signature techniques known heretofore, there may be mentioned 
the pui9lic-key cryptography elliptic curve system disclosed in J. Kbetier. A. J. Menezes. M. Qu and S. A. Vanstone: 
"Standard for RSA. Oiffie-Hellman and Related Pubiic*KBy Cryptography Elliptic Curve Systems (Draft 8}" in "IEEE 
P1363 Standard" published by the IEEE. May 3. 1996 and May 14. 1996. respectively. 

Figure 9 is a schematic diagram showing generally a configuration of a computer networic system in which the tech- 
niques disclosed in the at)ove-mentioned literatures are adopted. 

Referring to Fig. 9. there are connected to a networic 1001 a system manager's computer 1002. a user A's compu- 
ter 1003 and a user B's computer 1004 for mutual communication. 

Operations of the individual units shown in Fig. 9 will be descrbed below. 

System Setup 

The system manager's computer 1002 is In charge of generating an elliptic curve (E) 1006. Sibsequently. a base 
point (also referred to as the system key) (P) 1007 of the order (n) 1008 is generated and registered in a putdic file 1005. 

KeyQengratipn 

A key generating function module 1011 incorporated in the user A*s computer 1003 is designed to execute the 
processing steps which will be mentioned below. 

Step 1 : In an interval [2, n • 2]. an integer dA is selected at random as a private key. 
Step 2: A key Q^. is computed in accordance with e dAP. 

Step 3: The key (Qa) 1015 is opened to the public as the pubOc key. More specHlcally. the public key (Qa) 1015 is 
transmitted together with the identifier name of the user A to the system manager's computer 1002 via the 
networic 1 001 , whereon the identifier name of the user A is written in the p\Mc file 1 005 at a column 1 009 
for the user A*s name with the value of the public key (Qa) 1015 being written In a column 1010 for the public 
key Qa- 

Step 4: In the user A's computer 1003. the value of the private key {d^ 1014 is held as the private key of the user A. 

Digital Signature Generation Process 

A digital signature generating function module 1 033 incorporated in the user A*s computer 1003 is designed to exe- 
cute the processing steps mentioned below. 

Step 1 : Message (M) 1016 is received. 

Step 2: Hash value e « H(M) is computed by using a hash function (H) 1 028. 
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Step 3: Random nimtoBt |s is selected from the interval [2. n * q using a random number generation function 
1029. 

Step 4: Point kP « (x. y) is computed by a soKSfled -scalar multipiication on elliptic curve 1030. 
Step 5: A first tally £ given by r « x ♦ e (mod n) is detemfined in accordance with the modular computation "r « x + 
e (mod n)- 1031. 

Step 6: A private toy (d^ 1017 is inputted to modular computation process "s - Ic - dAr (mod n)" 1032 tor thereby 
determining a second tally a (• k - dAr (mod n)). 

Step 7: A message M 1016 and the digital signature (r, s) 1019 are sent to the user B's computer 1004 via the net- 
work 1001. 

As the parameters required for the computations performed by the digital signature generating function module 
1033, the elliptic cun^e (E) 1006. the base point which nwy also be reten'ed to system toy (P) 1007 and the order (n) 
1008 registered in the public fSe 1005 hekJ by the system manager's computer 1002 are referenced. 

Digital Signat ure Verification Process 

A digital signature verifyirig function module 1023 incorporated in the user B's computer 1004 is designed to exe- 
cute the processing steps mentioned below. 

Step 1 : The user A's public toy (Qa) 1010 is fetched from the piiblic fDe 1005 held by the system manager s com- 
puter 1002 to be set as a piiilic key (Qa) 1020. AddHionaliy. the base point (system toy) (P) 1007 is fetched 
from the public file 1005 held by the system manager^ computer 1002 to be set as the base point (P) 
1007B. Furthermore, the digital signature (r, s) 1019 sent from the user A's computer 1003 is received to be 
set asa digital signature (r, s) 1021 . Besides, the message (M) 1016 sent from the user A's computer 1003 
is received to be set as a message (M) 1022. 

Step 2: The base point or system key (P) 1007B. the pubiic toy (Qa) 1020, the digital signature (r. s) 1021 are input- 
ted to the process "scalar muHiplicalion on ellptic curve (E)** and "addition* 1024 to thereby carry out the 
catenation "(x. y) osP -i- tQa". 

Step 3: The message M 1 022 is inputted into the hash function H 1 025 to thereby compute the hash value e - H(M). 
Step 4: Through the computation process Y a x e (mod n)' 1026, a first tally T » x e (mod n)" is determined. 
Step 5: When the decision "r e r* ?" 1 027 results in r « r' or YES. data "authenticated" is outputted. and if othenwise. 
"not authenticated" is oulputted. 

As the parameters required for the computations performed by the digital signature verifying function nrKxlule 1 023. 
the elliptic curve (E) 1 006. the base point or system key (P) 1 007 and the order (n) 1008 as registered In the public file 
1005 held by the system manager's computer 1002 are referenced. 

Through the processes described above, the digital signature (r, s) functions as an electronic seal (i.e., seal or 
"hanko" impressed electronically by the user A tor the message M. To say in another way, the user B can hold the set 
of the message M and the digital signature (r. s) as the evktence indicating that the message M is issued by the user A. 
Further, although the user B can recognize the authenticity of the set of the message M and the digital signature (r. s). 
the user B can not originally generate the set of the message M and the digital signature (r. s). For this reason, the user 
A can not negate later on the fact that the digital signature (r s) has been generated by the user A. 

However, the conventional system described above suffers the problems which will be elucidated below. 

(1 ) insufficient Proof tor Security 

In general, generation of a digital signature by a person having no private key provides a problem. If otherwise, 
the authenticity of the digital signature can not be ensured, degrading the creditabQity of the electronic commerce 
and renoering it impracticai. 

in the conventional system described above, it is required to provide that such tally combination (r. s) can not 
be generated which allows the output "authenticated* to be generated in the course of the digital signature verifica- 
tion processing without knowing the private key d^ However, the conventional system provides no proof to this end. 
Parenthetically, it should be mentioned that the problem mentioned above has been pointed out in conjunction witii 
EIGamal signature technology on which the conventional system described above is based. 

(2) Long bit length of the digital signature 

Now. assuming that relevant parameters have respective bit lengths as tollows: 

(a) The bit length representing the order q of the base point P is /„ hits (e.g. 160 bits). 

(b) The bit length representing the output of the hash function H is bits (e.g. 1 60 bits). 
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(C) The bit length of the private key cIa 15 <d bits (e.Q. 160 bits). 

The output value of the hash function H given by of 160 bits is considered as being necessary in view of the 
fact that the hash function H has a coQision-free property. In this conjunction, it is oontemplatad with the phrase "col- 

5 iision-free property" to niean that cfiff iciity is encoirtered in finding two cfifferent input values which result in a same 
output value in view of the computational overhead. By way of oxanple. in the case where the output value of a 
hash function H is 1 60 bits, it wSI be possUe to find two dfferent input values which results in a same output value 
by carrying out an attack method known as •Paradoc of Birthd^ a number of times on the order of 2^ on an aver- 
age, which is however difficult in viMv of the computational overhead. 

w Further, the bit length of 160 bits Ibr the order o of the base point (system k^) is consWered as being neces- 

sary because of difficufty of solving the cfisaete logarithm problem relevant to the addition on the elliptic curve. 

In this case, when the length of the tally i of the digital signature (r. s) is of Ai bits with the length of the tally § 
being of /„ bits, then the total bit number amounts to (Ai AO bits (ag. 320 bits). 

(3) The length of the digital signature is determined in dependence on the length of the parameter o of the elliptic 
75 curve. Consequentiy. when the length of the parameter n is increased Ibr ensuring the security of the digital stgna- 
tire more positively in the futura the length of the digital signature increases correspondingly Parenthetically, in 
conjunction with RSA and EES. it is noted that the length of the parameter q is unavoidably increased because of 
enhancement of the decryptnn method and the computer perfbmnance promoted as a function of the time lapse. 
Same will apply equally to the elliptical encryption in the future. To say in another way. it is expected that the length 
20 of the parameter n will necessarily increase as the decryption technology and the computer performance are 
enhanced as a furiction of time lapsa Such being the circumstances, it is desirable in conjunction with the elliptic 
encryption to realize the dUgM signahjre which does not depend on the length of the order n of the base point or 
system key R 

25 SUMMARY OF THE INVENTION 

In the light of the state of the art described abova It is an object of the present invention to provkje a digital signa- 
ture generating and/or verifying method and system using a public key encryptk>n scheme with high security as well as 
a recording medium for storing a program for canying out the method. 

Another object of the present invention is to prevkle a digital signature generating and/or verifying method and sys- 
30 tern using a public key encryption scheme, which allows the bit length of the digital signature to be shortened, and a 
recording medium for storing a program realizing the same. 

Yet another object of the present invention is to provide a digital signature generating/verifying method and system 
which are based on the use of a public key encryption method in which the length of the digital signature is made to be 
Independent of the length of the order of the base point, and a recording medium employed for storing a program real- 
35 izing the same. 

in view of the above and other objects which will become apparent as the description proceeds, there is provided 
according to a first generic aspect of the present inver^n a digital signature generating^rifying method of generating 
and/or verifying a digital signature authenticating electronically a signature affixed to a given document or message (M) 
by resorting to a public key encryption scheme. The digital signature generatingA^erifying method includes processing 

40 steps of determining for the given document or message (M) a hash value (e) satisfying a condition that e » H(M) by 
using a hash function (H). and determining for a numerical value (x) derived from translation of a random number a hash 
value (r) satisfying a condition that r s h(x) by using a hash function (h) whose output value is shorter than that of the 
first-mentioned hash function (H). 

Further, according to another general aspect of the present invention, there is provided a digital signature generat- 

<f ing and/or verifying method of generating or verifying a multiple digital signature authenticating electronically signatures 
affixed to document such as messages and/or comments (M;) as created and/or added sequentially by N users i (where 
i = "! N) by using a public key encryption scheme. The digital signature generating^erifying method includes the 
steps of (a) determining for a given one of the messages (M^) a hash value {ej satisfying a condition that e; » H(Mj) by 
using a hash function (H), (b) determining for a numerical value (x{j obtained from translation o1 a random number a 

5c hash value (r,) satisfying a condition that Tj « h(Xi) by using a hash function (h) whose output value is shorter than that 
of the first-mentioned hash function (H) and (c) executing the above-mentioned steps (a) and (b) for each of the users 
i (where i = 1 N). 

According to another general aspect of the present invention, there is provided a digital signature generating/veri- 
fying system tor generating a digital signature authenticating electronically a sigrmture affixed to a given message (M) 
ff by resorting to a public key encryption scheme. The digital signature generating/verifying system is composed of a 
processing unit for determining for the message (M) a hash value (e) satisfying a condition that e « H(M) by using a 
hash function (H), a processing unit or nrvxlule for determining for a numerical value (x) ofcrtained from translation of a 
random number a hash value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is 
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shorter thar) that of the hash function (H). 

Furthermore, according to another general aspect of the present invention, there is provided a digital signature 
generating and/or verifying system for generating and/a verifying a multiple digital signature authenticating electroni- 
cally signatures affixed to document auch as messages andter comments m as created andtor added sequentially by 

N users i (where i - 1 N) by resorting to the use of a public key encryption scheme, wherein the digital signature 

generatirigArerifying system includes a nwdule tor detennining far a given one of the massages (MJ a hash value (ej) 
satisfying a condition that Sj - H(Mi) by using a hash function (H)..a module for detemining for a numerical value (jq) 
derived from translation of a random number a hash value (r,) satisfying a condition that n « h(Xi) tv Using a hash func- 
tion (h) virhose output value is shorter than that of the first-mentioned hash function (H), and a module for validating the 
above-mentioned modules for each of the users i (where i * 1 N). 

The above and other objects, features and attendant advantages of the present invention will more easily be under- 
stood by reading the following description of the preterred embodiments thereof taken, only by way of example, in con- 
junction with the accornpariying diawirigs. 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the course of the description which follows, reference is made to the drawings, in which: 

Fig. 1 Is a schematic block diagram showing generally a system configuratfon according to an exemplary embodi- 
ment of the present invention; 

Fig. 2A is a blockdagram showing a system configuration of a sin|^ digital signature generating/verifying unit exe- 
cuted by a user A's personal computer shown in Fig. 1 ; 

Fig. 2B Is a flow chart for Illustrating a processing involved in the single digital signature generation algorithm exe- 
cuted by the user A's personal computer in conjunction with the system shcMfn in Rg. 1 ; 
Fig. 3 is a flow chart for illustrating a processing lor a single digital signature verification processing or algorithm 
executed by a user B's personal computer in the system shMn in Fig. 1 ; 

Fig. 4 Is a flow chart for Illustrating a processing for a diple digital signature generation processing or algorithm 
executed by the user B*s personal computer in the system shown in Fig. 1 ; 

Fig. 5 is a flow chart for illustrating a processing for a duple digital signature verificatfon processing or algorithm 
executed by a user Cs personal computer in the system shown in Fig. 1 ; 

Fig. 6 Is a block diagram showing a computer networtc configuratfon according to another embodiment of the inven- 
tion; 

Fig. 7 is a flow chart for illustrating a processing for a triple digital signature generation algorithm executed by the 
user C's personal computer shown in Fig. 6; 

Fig . 8 Is a flow chart for Illustrating a processing for a tr^le cfigital signature verification algorithm executed by a user 
D's personal computer in the system shown in Fig. 6; and 

Fig. 9 is a schematic diagrEmn showing generally a configuration of a conventional computer network system 
designed for transferring electronic documents affixed with digital signatures known heretofore. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Now. the present invention will be described in detail in conjunction with what is presently considered as preferred 
or typical embodiments thereof by reference to the drawings. In the following description, like reference characters des- 
ignate like or corresponding parts throughout the several views. Also in the following description, it is to be understood 
that such terms as "documenT. "comment", "message" and the like are words of convenience and are not to be con- 
strued as limiting tenns: 

Figure 1 is a schematic t/iock diagram showing generally a system configuration according to an exemplary embod- 
iment of the invention. Referring to the figure, there are connected to a network 101 . a user A's personal computer 102. 
a user B's personal computer 1 03 and a user C's personal computer 1 04. In the user A's personal computer 102. a user 
A's signature (r^ . s^ ) 1 1 1 is generated for a user A's created docum«it (M^) 1 1 0 by using a base point which may also 
be referred to as the system key (P) 1 1 7 and a user A's private key (dO 1 18 In accordance with a single digital signature 
generation algorithm (AL^ 105 to be subsequently sent to the user B's peraonal computer 103 via the network 101 . In 
this conjunction, "r^ and "Si" of the user A's signature (r^. Si) 11 1 are defined as a first tally and a second tally, respec- 
tively. In the user B's personal computer 103. authenticity of the user A's issued document 109 composed of a set of 
the user A s created document (M^ 110 and the user A's signature (r^ s^) 1 11 Is verified by using a base point or sys- 
tem key (P) 119 and a user A's public key {Q^) 120 in accordance with a single digital signature verification algorithm 
(ALi ) 1 06 and at the same time, a user As and B's nultiple signature (r,. r2. Sj) 1 13 is generated for the user A s cre- 
ated document (M^) (I.e.. document M^ created by user A) 1 15, the user A's signature (r^. s,) 1 1 1 and a user B's addi- 
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tion such as commerrt (Mg) 114 by using the base point (P) 119 and the user B's private key (dg) 121 in accordance with 
a dupie digital signature generation algorithm (ALg) 1 07 to be subsequently sent to the user Cs persona) computer 1 04 
via the network 101. In the user Cs personal computer 104. authwiticity of the user B's issued document 112 com- 
posed of the set of the user A's created document (M|) 1 15 and the user B's addtion or comment (Mg) 1 14 as well as 
the user A s and B's multiple (duple) signature (r,. rg. Sg) 1 13 is verified by using the base point (P) 122. a user A s public 
key (Qi) 1 23 and a user B's pubUc key (Qa) 1 24 in accordance with a duple digital signature verification algorithm ( ALg ) 
108. 

Figure 2A is a block diagram showing a system configuration of the single cfigital sigiature generation/verification 
system shown in Fig. 1 and Fig. 2B is a flow chart for Illustrating the processing for the single dgital signature genera- 
tion algorithm (ALi) 105 mentioned prevtously in conjunction with the system shown in Fig. 1. Desaiption will now be 
made by reference to Figs. 2A and 2B. 

The system configuration shown in Fig. 2A bears correspondence to the one shown in Fig. 9. It can be seen that 
the formerdiffers from the latter in respect to the algorithm in the digital signature generating blocte 1031 and 1032. the 
algorithm in the digital signature verifying block 1 026 and the output algorithm in the block 1 024. 

SinnIP Diottai Riffnatiirft Qeneration Algorithm (AL^ IPS 



Step 201 : Processing for executing this algorithm (ALi) 105 is started. 

Step 202: The user A's created document (M^) 11 0, the base point (P) 1 1 7 and the user A's private key (d1 ) 1 1 8 are 

20 inputted. 

Step 203: A random number k^ of /h bits is generated. 

Step 204: Computation is periormed for determining k^P ■ (x^. y^). 

Step 205: Hash value r^ (« h{x^)) of bits is computed. 

Step 206: Hash value ei (« H(Mi)) of /h bits is computed. 

25 Step207: Computation is periormed for deternrvning a tally Si in accordance with s^ « k^ *i>di(ei ^r^ (modn). 

Step 208: Value of the single digital signature (ri. Si) 1 1 1 is oulputted. 

Step 209: The processing is terminated. 

The single digital signature generated through the processing descrtoed above corresporvis to an electronic image 
30 Of a seal (*hanko" in Japanese) impressed on the message Mi the user A. In other words, the single digital signature 
(r V si ) can be generated only when the private key di equivalent to the seal kept only by the user A is used for the mes- 
sage as furnished. 

Figure 3 is a flow chart for illustrating a processing for the single digital signature verification algorithm (AL^*) 106 
in conjunction with the system shown in Fig. 1. Description wiD now be made fc)y reference to Fig. 3. 

35 

Single Diortai Signature Vertficatjon Aloorithrn (AL^'^ 106 
Step 301 : Processing is started. 

Step 302: The user A's created document (Mi) 110 and the single digital signature (ri. Si) 11 1 is inputted. 
40 Step 303 : The system key (P) 1 1 9 and the piMc key (Qi) 1 20 are ir^utted. 
Step 304: Hash value e^ b H(Mi) of /h bits is computed. 

Step 305: Corhputation is performed for determining a first point on an elliptic curve. i.e.. a first elliptic point (xi. yi) 

= SiP-{ei+ri)Qv 
Step 306: A numeric value r^' » h(xi) is computed. 
45 Step 307: When the condition that r^ « r/ is met. the processing proceeds to a step 308 while if otherwise to a step 

310. 

Step 308: A signal or data "authenticated** is outputted. 

Step 309 : The first elliptic point (x^ . y^ ) is outputted. wtiereon the processing proceeds to a step 311. 
Step 310: "Not authenticated" is outputted 
£0 Step 311: The processing is then terminated. 

Through the processing described above, it can be confirmed whether or not the single or simple digital signature 
(r^ . Si ) is a correct signature, i.e.. whether or not the single digital signature (ri, Si) con'esponds to the correct or true 
seal image. More specifically, upon reception of the message and the single or simple digital signature (r^. s^. the 
55 user B (or user B's computer) checks to oonfimi the authenticity of the digital signature t>y referencing the public key 
which corresponds to the registered seal ("hanko"). 

Figure 4 is a flow chart for iliustrating a processing for the duple digital signature generation algorithm (AL^) 1^^ 
conjunction with the system shown in Fig. 1 . Description will now be made by reference to Fig. 4. 
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Step 401 : Processing is started. 

Step 402: User B*s addition or conment (M2) 1 1 4. Ihe base point (or system key) (P) 11 9 and the user B's private 

Key (d2) 121 are inputted. 

Step 403: The first point (x,, yi) on the eUiptic curve oulputted in the step 309 is fetched. 

Step 404: A random number l4 of /h Ms is generated. 

Step 405: Apoint(x.y)»k2Pisconfputed. 

Step 406: A second point (X2, iii • (x,, yi) + (x, y) is computed. 

Step 407: Hash value f2 ■ h(X2) of bits is computed. 

Step 408: Hash value ^ « H(M2) of Ih bits is computed 

Step 409: Conputation for determinng a tally given by S2 - s, k2 + d2(e2 + r, ♦ rj) (mod n) is performed. 

Step 410: Value or the duple dgitalsignaiLffe(ri,r2. 82) 113 is outputtad. 

Step411: The processing comes to an end. 

The duple digital signature (r^ . ra. 62) generated through the processing described above corresponds to the seal 
image impressed on a whole document prepared by adding the user B's comment or addition (Mg) 1 1 4 to the message 
(Ml ) 1 1 0 created by the user A and affixed with the single digital signature (r^ , Si) 1 1 1 . More specifically, when the mes- 
sage Ml created by other person (user A) and affixed with the other person's single digital signature or the user A s sin- 
gle digital signature (rv s^) in the case of the fliustrated example Is received by the user B and when the user B wants 
to add the comment M2, the duple digital signature (r,. r2. 82) is generated, which incficates that the seal is impressed 
for the whole document by using the private key d2 corresponding to the seal which only the user B possesses. 

Figure 5 is a flow chart for illustrating a processing for a duple digital signature verification algorithm (AL2 ) 108 in 
cot ijunction with the system shewn in Fig. 1 . Description will now be made by reference to Fig. 5. 

Dut^le Digital Stonatu'e Verification Alerorithm f AL^1 108 



Step 501: 
Step 502: 

Step 503: 

Step 504 
Step 505: 
Step 506 
Step 507 
Step 506 
Step 509: 
Step 510 
Step 51 1 
Step 512 



Processing is started. 

The user As created dooiment (M^) 1 15. the user B'S added comment or addition (M2) 1 14. and the 
duple digital signature (r^ . r2t 82) 1 13 are inputted. 

The base point or system key (P) 122, the user A*s public key (Qi) 123 and the user B's public key (Q2) 
124 are inputted. 

A hash value e^ b t-i(Mi) of bits is computed. 
A hash value « H(M2) of bits is computed. 

A second elliptic point given k>y (X2. y2) " 82P * (®i 'i^-^^y -^ifih ^ computed. 
A numerical value t2 = h(X2) is computed. 

When r2 » t^^ f processing proceeds to a step 509, and if othenmse, to a step 51 1 . 
A signal "authenticated" is outputted. 

The second elliptic point (xj. yz) is outputted, whereon the processing proceeds to a step 512. 
A signal or data "not authenticated" is outputted. 
The processing comes to an end. 



Through the processing described above, it is confirmed whether or not the diple digital signature (r^, Sj) is a 
correct signature, i.e. , whether or not the duple digital signature (r^ , r2, S2) corresponds to the correct or true seal image. 
More specifically, upon reception of the message M^ message M2 and the duple digital signature (r^ S2). the user 
C checks to confirm that the digital signature is made authentically by the very users A and B by referencing the public 
keys Qi and Q2 which correspond to the registered seals. In that case, the user C can confirm the authenticity of the 
digital signature without using either the private key d^ corresponding to the user A's seal or the private key d2 corre- 
sponding to the user B's seal. 

in the foregoing, generation of the duple digital signature by using two private keys d^ and d2 has been descrit)ed 
as an exemplary embodiment of the invention. In this conjunction, it should be mentioned that the principle underlying 
the digital signature generating/verifying method described above can be extended in general for the generation of an 
N-tuple digital signature generated by using N private keys d^, d2 dN. 

Figure 6 is a block diagram showing a computer network configuration according to another embodiment of the 
invention on the assumption that the system is expanded so as to enable triple digital signatures, i.e.. N » 3. Refemng 
to the figure, there are newly connected to the network 101 . a user D's personal computer 606 in addition to the user 
A s personal computer 102. the user B's personal computer 103 and the user Cs personal computer 104. Set up newly 
in the user C's personal computer 104 in addition to the dual digital signature verification algorithm (AL2') 108. the sys- 
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tern key or base point (P) 122. the user A*s public key (Qi) 123 and the user ffe public key (Q2) 124 are a triple digital 
signature generation algorithm (AL<,) 604 and a user C% private key {d^ 605. The user Cs personal computer 1 04 ae- 
ates a user C's issued document 601 and sends it to the user D-s pereonal computer 606. The user C's issued docu- 
ment 601 contains newly a user Cs addition or comment (M3) 603 and users A^s. B s and C's signatures (r, rj. rj. S3) 
* 602 in addition to the user A s created document (Mi) 613, the user B's addition such as a comment (Mg) 614 and a 
" user As and B s signatures (r.. to. Sg) 612. Set ip in the user D*s personal computer 606 are a triple digital signature 
verification algorithm (AL3l 607. a base poirt (FO 608. the «^ 
and the user C's public key (Q3) 61 1 . . 

Figure 7 is a flow chart for iBustrating a processing for the triple digital signature generation algorithm (AL3) 604 
10 executed by the user C's personal computer 104 shown in Fig. 6.; 

Tripht Pfflit"' Generation Ataorithm (AL^) 604 

Step 701 : Processing is started. , - - 

IS Step 702: The user C s adcfition or comment (M3) 603. the private key (da) 605. the base point (P) 122 and the duple 
digital signature (r^ ra* S2) 612 are inputted. 

Step 703: Second elliptic point (X2. y2) outputted in the step 510 is fetched. 

Step 704: A random number ka of ^4 bits is generated. 

Step 705: A point kgP ■ (x. y) is confuted 

20 Step 706: Coordinates (X3. ya) = (X2, y2) + (x, y) are computed. 

Step 707: A hash value ra « h(x3) of bits is computed. 

Step 708: A hash value - H(M3) of /h bits is computed. 

Step 709: A tally S3 - S2 + *^ + dales + ri + rg + ra) (mod n) is computed. 

Step 710: Value of the triple digital signature (r^ tz* fa, S3) 602 is outputted. 

25 Step 411: The processing is terminated. 

The triple digital signature (ri . rg. rg, S3) generated through the processing described above conesponds to the seal 
image impressed on a whole document obtained by adding the user C's comment or addition M3 to the messages 
and M2 affixed with the users A and B*s multiple digital signatures (r^. ra. Sa). More specifically, when the messages 
30 and M2 affixed with other users' multiple digital signature (i.e.. the users As and Bs' multiple digital signatures in the 
case of the illustrated example) (ri. ra. Sa) are received by a user (i.e.. user C) and when the user C wants to add the 
comment M3. the triple digital signature (r,, ra. ra, S3) can be generated for the whoie document aeated by the users A 
and B and added with the comment M3 by the user C only by using a private key d3 conesponding to the seal which 
only the user C possesses. 

35 Figure 8 is a flow chart for illustrating a processing for the triple digital signature verification algorithm (ALa*) 607 
executed by the user D's personal computer 606 in conjunction with the syst^n shown in Rg. 6. Description will now 
be made by reference to Fig. 8. 
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Triple Diaital Signature Verification Algorithm (AL^l 607 



Step 801 : Processing is started. 

Step 802: The user As created document (Mt) 613. the user B*s acMition or comment (Ma) 614. the user C's addition 

or comment (M3) 603 and the triple digital signature (r^ ra. ra. S3) 602 is inputted. 

Step 803: The base point (P) 608. the user As public key (Q^) 609. the user B's pMic key (Qa) 610 and the user 

45 C's public key (Q3) 61 1 are inputted. 

Step 804: A hash value e^ » H(Mi) of /h bits is computed. 

Step 805: A hash value ea « H(Ma) of /h bits is computed. 

Step 806: A hash value ea » H(M3) of /h bits is computed. 

Step 807: A third point on the elliptic curve. i.e.. a third elliptic point (X3, ys) o 63P - (e^ -i- r^)Q^ - (oa + r^ <f r2)Q2 -(63 

50 4 r^ -«> r3)Q3 is computed. 



Step 808 
Step 809 
Step 810 
Step 811 
Step 812 
Step 813 



Tally ra' = h(x3) is computed. 

When fa' s r3. the processing proceeds to a step 810. and if othenMse. proceeds to a step 812. 
Signal "authenticated" is outputted. 

The third elliptic point (X3. y3) is outputted. whereon the processing proceeds to a step 813. 
Signal "not autiienticated* Is outputted. 
The processing comes to an end. 



Through the processing described above, it is confirmed whether or not the triple digital signature (r^. ra. r3. &3) is 
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a correct signature, i.e.. whether or not the triple (figital signature (r, . r2, rg. 83) corresponds to the correct or true seat 
image More specifically, upon reckon of the message the message M2, the message M3 and the triple digital 
signature (ri. rg. rs, 83). the user D can check to confirm whether or not the digital signatures have been made by the 
very users A. B and C by referencing the public keys Q,. Q2 and Q3 which correspond to the registered seals Chanto") 
of the users A, B and C, respectively. 

The above-mentioned digital signature generationAferification method can be expanded to the case where N is 
equal to or greater than "4" (tour). In olher vwmte in general, a digital signature generatingAwifying method for verifying 
electronically a multiple digital signature affixed to messages andtor commenls Mj created and/or added by N users (i 
B 1, .... N) can be carried out in general as folkM«: 

Prnfyri..fp ter Vi>fiffving MuHinlft t^fiHal Signature hv 1 teftffi 1 f2 ^ i ^ ffl 



Step 901: Processing is started. 

Step 902: The (i - 1 ) messages or comments Mi Mj., and the fi • 1)-tuple cfigital signature (r, ^ Sj.,) issued 

t>y an immediately preceding user (i - 1) are received. 
Step 903: Corrputation of a hash value - H(MO is repeated for the user (i • 1) starting from k « 1 . 
Step 904: Public keys Qk previously generated for satisfying - dkP and registered are inputted repetitionally for 

the user fi - 1) starting from k s 1. 
Step 905: A point (Xj.,. yj-i) on the eOiptic curve given by the following BxprBsmm (5) is computed. 

M M-1 



Step 906: A hash value r^^* » h(Xj.O is confuted. 

Step 907: When r^., « r^i'. then data or signal indicating "authenticated" is issued. 

Step 908: Point (x^.^. yi.i) on the eBiptic curve is outputted, whereon the processing proceeds to a step 910. 

Step 909: If r{.i ^ r^^^. data indcating "not-authenticated" is issued. 

Step 91 0: The processing comes to an end. 

In other words, the digrtai signature generation/verification method for generating electronically the multiple digital 

signature affixed to messages and/or comments (\.e„ document) M\ created or added by N users (i » 1 N) can be 

performed as follovys: 



Generation Procedure of Multioie Digital Signature bv Users i f2 ^ i < fsft 



Processing is started. 

The point (x^v Yj.^) obtained at the step 908 is inputted. 

A hash value e^ & H(Mi) is computed. 

A random number is generated. 

Point kjP B (x, y) is computed. 

Point (Xi, yi) = (x^.^ Y|.i) + (x, y) are computed. 

A hash value r^ « h(Xj) is corrputed. 

By using private keys dj. the tally Sj given by the following expression is determined. 



Sf = S/.^ + /c/ + df (e, + 5; r^) (mod n) 



Step 1 009: A set of the numerical values (r^ r; Sj) is outputted as the digital signature. 

The embodiments of the invention described by reference to Figs. 3 to 5 are directed to the multiple digital signature 
realized by making use of the addition defined on the elliptic curve. However, in general, such multiple digital signature 
can equally be realized by resorting to binary operation defined on the abelian group. 

By way of example, in a set of integers from "1" to "n • r (where n represents a large prime number on the order 
of 1 ,000 bits), multiplication is defined in the worfo of modulo n. Then. Zn represents an abelian group. The base point 
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P (1 < P < n) is selected appropriately with the private key fl and the piisltc key Q being so selected that the following 
relation can apply valid: 

Q-P*^(mDdn) (1) 

In conjunction with the above egression (1), It Is noted that the problem of deteminino d tor given values of Q. P 
and n represents a discrete logarithm problem which is difffkailt to solve in view of the computational overhead when the 
value of Q is large 

On the presunption mentioned above, the single digital signature generation algorithm (ALf) 105 descnbed previ- 
ously by reference to Fig. 2, for exarrple. is modified as follows: 

Single Diflital S fgnatura Generation Ateorithm fAL^^ 

Step 201: The processing Is started. 

Step 202: The user A's created document . the base point P and the private key d1 are inputted. 

Step 203: A random nunrt)er or integer k^ of /h bits is g&ierated. 

Step 204: Connputation is pertormed for determining « P^^ . 

Step 205: Ahashvaluert -h(xi)of 4V2bitsisoompttfed. 

Step 206: A hash value e^ « H(Mi) of bits is computed. 

Step 207: Computation is pertormed for determining the tally s^ ■ k^ 6^{e^ -f r^) (mod n). 

Step 208: Value d the single digital signalura (r^ Si) is outputted. 

Step 209: The processing comes to an end. 

The single digital signature (r^, s^) obtained, being modified as mentioned atxsve. brings about advantageous 
effects similar to those obtained in the digital signature generaling^erifying method described hereinbefore by refer- 
ence to Fig. 2. Similar modification of the muWple digital signatures can provide similar advantages as those mentioned 
hereinbefore. 

With the an-angements of the digital signature generatingA^erifying systems described above, there can be assured 
such advantageous effects as mentioned below 

( 1) It is impossible to forge a digital signature of other person without knowing the other person's private key. Secu- 
rity concerning the forgery prevention of the single (figital signature (r^, &|) will be demonstrated by the proposition 

1 described hereinafter. 

(2) The length of the digital signature can be shortened. By way of example, assuming that the order q is 160 bits 
and that the length of the output value of the total hash function H Is 160 bits, then the length of the single digital 
signature in the conventional system is 240 bits. By contrast, in the case of the systems according to the invention, 
the length of the single digital signature is 240 bits. Furthermore, the length of the duple digital signature in the con- 
ventional system is 640 bits, whereas in the systems according to the tnventioa it is only 320 bits. In general, in the 
case where the N-tuple digital signature is affixed, the total length of the digital signatures is of 320 x N bits, 
whereas in the system according to the present invention, It is 1 60 •«> 80 x N bits. Thus, when the value of N is targe, 
the length of the digital signature according to the invention can be reduced by ca. 1 M when compared with the sig- 
nature length in the conventional system. In ottier words, the lengtii of the digital signature can be significantly 
reduced according to the teachings of the invention. 

(3) According to the invention, it is possitale to make the lengtii of the digital signature bB independent of the length 
of the order n. Assuming now that the length of the output of the total hash functton H is sufficiently greater than 
that of the random integer k. the length of the tally s of the signature can k>e sufi^ressed smaller than the length of 
the outputs of the total hash function H plus the length of the private key d- Thus, independent of the length of the 
order n. the length of the N-tuple digital signatures can be made to be not greater than Ihe length of the output of 
the whole hash function H -i- private key d -** N x length of the output of the half-hash function h*. 

In each of the digital signature generationA/erification system according to the ent>odiment of the invention 
described above, the processing steps of executing the digital signature generating method can be stored in the form 
of a programs in a recording medium such as a CD-ROM. a floppy-disk, a semiconductor memory or the like, wherein 
the program can be loaded and executed in a computer for generating the digital signature for thereby generating the 
digital signature. Similarly, the processing steps included in the Input digital signature verifying method can be loaded 
in the computer for the digital signature verification in the form of a program to be executed for verifying the digital sig- 
nature. Needless to say. the digital signature generating/verifying program mentioned above may be down-loaded to cli- 
ent personal computers from the server computer. 
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Lemma (Subsid iary Pmtxisition) 1 

rt is presumed that H represents a hash function having a one^y property, the algorithm AL is not dHf icuJt to exe- 
cute In view of the computational overhead and that data generated without resorting to the use of the hash function is 
irputted to ther^y generate on a memory in the course of computation the numerical values of 2 and y which satisfy 
the equation "y - H(x)". In that presumed case, the numerical value i can never mato appearance on the memory so 
long as the numerical value X has not nriade appearance ever on the memory in the pa^ 

Dflmonstration 

Demonstration will be made by resorting to "reducfio ad absurdum (reduction to absurdity)" or irrationality. It is 
assumed that the value y satisfying the function y - H(x) has made appearance on the memory in precedence to the 
value 2. However, since the hash function H is of the one^y properly, oonputation for the reverse transformation of 
the hash function H. i.e.. x - H-^(y) is impossibie. Acconfingly. in order to generate the value x on the memory, it is nec- 
essary to supply externally such input data from which the value 2 capable of satisfying the hash function y « H(x). 
which however contradicts to the inputting of the data generated without using the hash function H. 

The Demonstration of the lemma 1 is now concluded. 

Prpppgittpn 1 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally it is assumed that the hash function H( • ) of Ws has collision-free property as well as the one-way prop- 
erty. Furthemiore, It is presumed that the hash function h( •) of bits has also the one-way property. In that case, 
when /n ^ ^H. there exists no algorithm AL^ which can output in response to the inputting of the base point (system key) 
P and the putriic Key the message and the single digital signature (r^ 81) for which the algorithm AL^ outputs 
'authenticate" so long as the private key d^ is untoiown. 

Pemonstration 

Now. it is supposed that such algorithm AL3 exists which can output in response to the inputted system key or base 
point P and the public key Qi . the message Mi and the single digital signature (ri . Si) tor which the verification process- 
ing ALi' outputs "authenticate" without knowing the private key d^ More specifically. It is supposed that such algorithm 
AL3 exists for which the inputs and the outputs are as follows: 

Input to the algorithm AL3: 

system key (base point) P. and putalic key 

Output from the algorithm AL3 : 

message single digital signature (r^ 81) 

where the message M^ and the single digital signature (r^ Si) satisfy the following conditions: 

(Xvyi)-SiP-(ei+ri)Qi (2) 
ri.h(x,) (3) 
e,«H(M,) (4) 

It should be noted that ^ holds true. 

On the conditions mentioned above, the number of the outputs from the algorithm AL3 is three, i.e.. M^ . Si and . 
Accordingly, in the course of the processing according to the algorithm AL3. the con'ect output values make appearance 
in either one of the orders or sequences mentioned below: 

Case 1 : Connect output values make appearance in the sequence of Si , r^ and M^ . 

Case 2: Con^ect output values make appearance in the sequence of r^ , s^ and M^ . 

Case 3: Correct output values make appearance in the sequence of s^ M^ and r^ . 

Case 4: Correct output values make appearance in the sequence of M^, s<| and r^. 

Case 5: Correct output values make appearance in the sequence of r^ . M^ and ^ . 

Case 6: Con^ect output values make appearance in the sequence of Mi. ri and Si. 
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In the cases 1 and 2 mentioned above, the oonrect output values of s, and r, make appearance in precedence with 
the correct value of the message Mi making no appearance at a given time point in the course of the processing. Since 
h in the expression (3) represwits the hash functwn. the correct output value of the tally mist make appearance in 
precedence to that of the tally r^ in the light dl the "Lemma 1 " stated previously. When the value of the tally x, is deter- 

s mined the value of the tally yi assumes either one of two values ±p because the term (x, . yi) in the expression (2) rep- 
resents a point on the elliptic cun^e E. In correspondence to the value +p or -p of the tally y, , the hash value e, which 
can satisfy the condition given by the expression (2) is fimlted to two different values. After the time point of concern, 
the message f^^ satisfying the condition given by the expression (4) so that the hash value e^ assumes efther one of 
the two value must be detenrtned. which however contradicts to the fact that 'H" in the expression (4) represents the 

,0 hash function. Accordingly, the situations corresponding to the Casee 1 and 2 can not take place. 

In the Cases 3 and 4 mentioned above, the con-ect output value of Si and the message Mi make appearance in 
precedence with the correct value of the con'ect output value ri making no appearance at a given time point in the 
course of the processing. At this time point, the hash value ei can be detennined definitely in accordance with the 
expression (4). After this time point the value of the tally r, satisfying the conditicm ^en by the expressions (2) and 

15 (3) must be determined. However, it vinll never occur that the correct output value of the tally r, makes appearance at 
first, being foilowed by determination of the value for the coordinate Xi. This is because "h" in the expression (3) repre- 
sents the hash function. Besides, such case will not occur m which the correct output value of Xi makes appearance in 
precedence and thereafterthe value of ri isdetemvned. Because. If othenmse. the disaete logarithm problem concern- 
ing the addition on the ellipse can be solved in corijunction with the expression (2). which contradicts the proposition 

20 Stated hereinbefore. In other words, the value of ri can not be determined at any time point. Thus, the situations corre- 
spondng to the Cases 3 and 4 can not occur. 

In the Cases 5 and 6 mentioned above, the correct output values of the tally ri and the message Mi make appear- 
ance in precedence with the correct value of the tally Si maMng no appearance at a given time point in the course of 
the processing. At this given time point, the hash value ei can be detennined definitely in accordance with the expres- 

25 sion (4). Alter this time point, the value of the taUy Si satisfying the conditions given by the expressions (2) and (3) must 
be determined. However, it will never occur that the connect output value of the taiysi makes appearance at first, being 
then followed by determination of the value for the coordinate x^ This is because "h" in the expression (3) represents 
the hash function and the con'ect output value of xi can make appearance before the output value of r*, is determined 
precedingly. Besides, such case will not occur in which the conect output value of xi makes af^aearance in precedence 

30 and thereafter the value of &| is detennined. Because, if otherwise, the repression (2) can be solved concerning the 
unknown &i , that Is. the discrete bgarithm problem concerning the addition on the ellipse can be solved, which contra- 
dicts however the proposition stated hereinbefore. In other words, the value of Si can not be determined at any time 
point. Thus, the situations corresponding to the Cases 5 and 6 can not occur. 

Thus, there occurs none of the situations corresponding to the Cases 1 to 6 mentioned previously Thus, the algo- 

25 rithm AL3 does not exist. 

Now. the demonstration is concluded. 

By the way. it should be noted that in conjunction with the demonstration of the Proposition 1 that the algorithm AL3 
may exist unless the Proposition 1 that ^ applies valid. 

To say in another way. if the concfition /„ < should hold true, there may arise such situation that the message Mi 
<o and the single digital signature (r^ . Si) for which the single digital signature verifying algorithm ALi* outputs "authenti- 
cated' can be generated without knowing the private key d. 

By way of example, let's suppose that in the computation "s » K -f d(r -1- e) (mod n)", the value of Is small and 
hence the value of n is small. Then, the collision-tree pmperty of hash value g & H(M) (mod n) may collapse, incurring 
such case where computation is performed eu^ that the tally g can assume a same value for messages M and M* not- 
<s withstanding of the fact that the message M is not same as the message M'. i.e.. M M*. as exemplified laetow. 

Let s suppose, by way of example, that the messages M and M* are written applications for purchasing a car. 
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Message M 

To FT J#6*GH Sales Company 

I will purchase the car A at 1,050,000 yens. 

To be signed by Takaraoi 



Message 

To IG#- Hy8(Jk) Sales Company 

I will purchase the car A at 2,050,000 yens. 

To be signed bv Takaraai 



Again suppose that the malicious sales company prepared the written application for purchase such as the mes- 
sage M and handed it over to Mr. Takaragi under the felse pretense that the leading character string TT J# • GH" is 
added for the purpose of ensuring security and that Mr. Tateragi signed the written application (message M) with pleas- 
es ure because of low price of the car A. Later on. Mr. Takaragi receives a tiW demanding payment of 2.050.000 yens 
together with the exhittt of the message M* affixed with his signature, to his great surprise. However, verification of the 
message M' shows that Mr. Taloragi has signed the written application or message M'. 

In order to exclude positively the injustice such as mentioned above, it is necessary that H represents the hash 
function which has not only the one-way properly but also the cdlision-free property and that the paiameter n relevant 
30 to the elliptic curve relation is assigned with a large value tor validating the condition that in ^ 'h- 

It should be additionally mentioned in conjunction wilh the "Demonstrafion" descrit)ed above that the hash function 
h may be only of the one-way property and need not necessarily have the collision-free ptop&tf. However, in case the 
hash function h is not of the one-way property, the values which can satisfy the conditfon given by the expression (3) 
may be found by arithmetically detemiirvng a variety of values for x by changing fi and M while fixing £ in the e3q3ression 
35 (2). The message M and the signature (s, r) found in this way may constitute forged message and signature. For this 
reason, it is necessarily required that the hash function b is of the one-way property. 

Moreover according to the teaching of the invention, the length of the digital signature can be shortened. 
More specifically the single digital signature (r^ Si) has a bit length equal to (^-O- 240 bits), and thus the 

length of the signature can be shortened when corrpared with the corwerrtional signature length (e.g. 320 bits). 
40 Furthermore, the length of the duple digital signature (r^ T2, S2) Is (/p 4 l^/Z) tints (e.g. 320 bits), which is signif- 
icantly shorter than the length of the conventional signature /„ (B.g- 480 bits). 

PrppQsition 2 

45 It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally, it is assumed that the hash function H( • ) of /h bits has the collision-free pn^erty as well as the one-way 
property. Furthermore, it is presumed that the hash function h( • ) of bits has the one-way property as well. In that 
case, so long as ^ . there exists no algorithm AL4 wfiich can output the duple digital signature (r^ . r2. S2) tor which 
the algorithm AL2 outputs "authenticated" without knowing the private key d^. 

50 

Demonstration 

Now. it is supposed that such algorithm AL4 exists which generates the duple digital signature (r^ . r2. S2) for which 
the verification processing according to the algorithm AL2' outputs "authenticated" without knowing both the private key 
55 di and the private key d2. Namely, presumption is made as follows: 

Input to the processing AL4: 

system key (base point) P. and public keys and 02. and 
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Output from the processing AU: 

messages Mi and M2,*jpledjQilal signature {ri,r2.fi2^ 

where the duple digital signature (r^ . Sa) satisfies the following conditions: 

e,-H(M,) (4) 

:r: r eg-HC^^a) 

TO (x2.y2)-82P-(ei+ri)Qi -(e2'W,+r2)Q2 (6) 

r2«h(x2) D 

In the course of executing the processing acoorcfing to the algorithm AL^. the correct output values make appear- 
75 ance in either one of the sequences mentioned below: 

Case 1 : Con-ect output values make appearance in the sequence of 82, r^ and r2. 

Case 2: Correct Output values make appearance in the sequence of ri , 82 and r2. 

Case 3 : Connect output values make appearance in the sequence of S2. r2 and r^ . 

20 Case 4: Con-ect output values make appearance in the sequence of r2. 82 and r^ . 

Case 5: Con'ect output values make appearance in the sequence of r^, r2 and 82. 

Case 6: Correct output values make appearance in the sequence of r2, r^ and 82. 

In conjunction with the Case 1 to S mentioned above, it is noted that the computation sequence that the correct out- 
25 put value of the tally r2 is determined in accordance with the expression (7) only after the correct output value of the 
coordinate 2 has made appearance is common to all the Case 1 to 6. H othenwise, it contradcts the presumption that 
the hash function h is of the one-way property. 

Additionally, the corrputation sequence that the hash values 61 and e2 are determined In accordance with the 
expressions (4) and (5), respectively, only after the correct output values of the messages and M2 have made 
30 appearance is also common to the all the aforementioned Cases 1 to 6. If othenwise, it contradicts the presumption that 
the hash function H is of tiie one-way property and collision-free. 

in the Cases 1 and 2, the con-ect output values of the tallies 82 and r^ make appearance at first at a given time point 
in the course of executing the processing whereas the correct output value of the tally r2 makes no appearance. After 
the abovennentioned given time point the tally r2 which satisfies tiie condition given by the expression (6) must be 
35 determined. In this conjunctioa however, the fdlowlng facts (a), (b) and (c) have to be taken into account 



(a) Such situation does not occur in which the correct output value of the tally r2 makes appearance finally after the 
appearance of the correct hash values e^ and e2. More specifically the computation sequence in this case will be 
such that the value of the coordinate X2 is determined and then the tally r2 detenmined. However, this means that 

40 the equation (6) can be solved with the tally r2 as the unknown, which contradicts the presumption that the discrete 
logarithm problem on tiie elliptic curve is insolvabie. 

(b) Such situation can not occur tiiat the correct hash value 62 is outputted only after the appearance of tiie correct 
output values for the hash value ei and the tally r2. because, if otherwise, the equation (6) is solved with the hash 
value 62 as the unl^own. which contradicts tiie presumption tiiat the discrete logarithm problem on the elliptic 

45 curve Is insolvabie. 

(c) Such situation can not occur that the correct output value for ttie hash value e^ makes appearance only after 
the appearance of the con'ect output vdtages for the hash value 02 and the tally r2. because, if ottierwise. the equa- 
tion (6) Is solved with the hash value 62 as the unknown, which of course contiadicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insolvabie. 

50 

in the Cases 3 and 4, tiie con-ect Output values of the tallies &2. r2 and Xg make appearance at first at a given time 
point in the course of executing the processing, whereas the correct output value of the tally r2 makes no appearance. 
After the above-mentioned given time point, the tally r^ which satisfies the condition given by the expression (6) must 
be determined. Such situation does not occur in which tiie con'ect output value of the tally r^ makes appearance finally 
55 after the appearance of the con'ect hash values e^ and e2. Supposing that the con'ect output value for the hash value 
62 makes appearance finally, then it follows: 

(i) If the private keys d^ and d2 are toiown. the es^ression (6) can be modified as follows: 
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(X2.y2)«{62-«li(ei-Wi))P-(e2+f,+r2)Q2 (8) 

The above equation (8) Is sotvabie wMh a tally r, as the unloiowi. which of course contracficts the presumption that 
the disaete logarithm problem ori the elfiplie curve IS insolvabia 

(it) ff the private key da is known with the private Key di being unknown, the expression (6) can be modified as fol- 
bws: ' 

(X2..y2)-<S2-d2(e2*fi+r2)}P-(ei+r,)Q, (9) 

The above equation (9) is solvable wHh the tally ri as the unknown, which is in contradiction to the presumption that 
the discrete logarithm problem on the elliptic curve is solvable. 

(iii) When neither the private key d2 nor the private key di is Imown. the equation (6) is solvable with the tally r, as 
the unknown, which is in contradiction to the presumed insolvabifity of the cfecrete logarithm problem on the elliptic 
curve. 

In view of the foregoing, it can be concluded that the con-ect output value for the tally r^ can not make appearance 
finally after the output of the connect hash values e^ and 62. 

(b) Such situation can not occur that the correct output value for the hash value ei makes appearance only after 
20 the appearance of the con^ect output voltages for the hash value e^ and the tafly , because, if otherwise, the equa- 
tion (6) is solved with the hash value ei as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the eliiplic curve is insolvable. 

(c) Such situaton can not occur that the correct output value for the hash value ei nukes appearance only after 
the appearance of the correct output voltages for the hash value e^ and the taBy r^ . because, if otherwise, the equa- 
ls tion (6) is solved with the hash value e2 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insolvable. Thus. Cases 3 and 4 can not occur. 

in the Cases 5 and 6. the con'ect output values of tfie tallies ri. r2 and X2 make appearance at first at a given time 
point in the course of executing the processing whereas the con^ect output value of the tally S2 makes no appearance. 

30 After the above-mentioned given time point the tally 62 which satisfies the condition given by the expression (6) must 
be determined. In this conjunction, however, the following tacts (a), (b) and (c) have to be taken into account However, 
in that case, (a) such situation does not occur in which the con-ect output value of the tally S2 makes appearance finally 
after the appearance of the correct hash values e^ and e2. Because, this means ttiat the equation (6) can be solved with 
the tally $2 as the unl^own. which contradicts the presumption that the discrete logarithm prot)lem on the elliptic curve 

35 is insolvable. Further, (b) such situation can not occur that the correct hash value e2 is outputted only after the appear- 
ance of the correct output values tor the hash value e^ and the tally S2. because, if othenwise. the equation (6) is solved 
with the hash value e2 as the unknown, which contradicts the presurrption that the discrete logarithm problem on the 
elliptic curve is insolvable. Furthermore, (c) such situation can not occur that the con-ect output value for the hash value 
6^ makes appearance only after the appearance of the con-ect output voltages for the hash value 63 and the tally S2. 

40 because, if otherwise, the equation (6) is solved with the hash value e^ as the unknown, which of course contradicts the 
presumption that the discrete logarithm problem on the elliptic curve is insdvabla Thus. Cases 5 and 6 can not occur. 

From the foregoing, it is concluded that none of the Cases 1 to 6 can occur and thus the algorithm AU4 does not 
exist 

Now. the demonstration is concluded. 
45 As will now be appreciated from the foregoing description, there have been provkjed a public key encryption 
method of high security and a system for carrying out the same. 

Further, with the puWIc key encryption method and the system according to the invention, the length of the digital 
signature can be shortened. ' 

Additionally, according to the present invention, the public key encryption method and the system can be so real- 
so ized that the length of the digital signature has no dependency on the length of the order of the base point (system key). 
Many features and advantages of the present invention are apparent from the detailed description and thus it is 
intended by the appended claims to cover all such features and advantages of the system which fall within ttie true spirit 
and scope of the invention. Further, since numerous modifications and combinatfons will readily occur to those skilled 
in the art. it is not intended to limit the invention to the exact construction and operation illustrated and described. 
55 Accordingly, all suitable modifications and equivalents may be resorted to. falling within the spirit and scope of the Inven- 
tion. 
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Claims 

1. A digital signature generating method tor generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

detennining for said message (M) a frst hash value (e) satisfying a condition that e « H(M) by using a first hash 
function (H): 

determining for a numerical value (x) ot>tained from translation of a random number a second hash value (r) 
satisfying a condition that r - h(34 1^ using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); and 

arithmetically detemfiining and outputBng said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as determined. 

2. A digital signature generating method according to daim 1 , 

wherein for generating a digital signature (r^ . s^ for a given message (M,), said method comprises the steps 

of: 

detennining a hash value (ei) satisfying a condition that ei - H(Mi) bf using a first hash function (H); 
generating a random number (k^); 

determining a point (Ri (« k^P)) by rmjitiplying a point (P) of an abeyan groif) by said random number (k^): 

determining a first numerical value (rt) satisfying a condition that r, - h(R^) by using the second hash function 

(h) whose output value is shorter than the output value of the first hash function (H); 

determining a second numerical value (Si) satisfying a condtion that Si « -i- di (ei 4- r^ (mod n) by using the 

order (n) of said point (P) of said abelian group and a private key (dt); and 

outputting a set of said determine0 numerical values (r^ s^) as a digital signature. 

3. A digital signature generating method according to claim 1 . 

wherein said point (P) of said abelian group corresponds to a base point (P) on an elliptic cun^e. 

4. A digital signature verifying method for verifying a cfigital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

determining tor said message (M) a first hash value (e) satisfying a condition that e ^ H(M) by using a first hash 
function (H); 

determining tor a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r. s). 
a public key (Q) and a ba&B point (P) a second hash value (0 satisfying a condition that f « h(x) from said first 
hash value (e). said digital signature (r, s), sakJ base point (P) and scud public key (Q) by using a second hash 
function (h) whose output value is shorter than that of said first hash function (H); and 
comparing said hash value {f) with a tally (r) of saki inputted digital signature to theretjy obtain a result of ver- 
ification of said inputted digital signature. 

5. A digital signature verifying method according to claim 4, 

wherein for verifying a digital signature (r^ . &i } of a given message (Mi ). said method comprises the steps of: 

determining a hash value (e^) satisfying a condition that e^ « H(Mi): 

inputting a public key (Qi) generated previously so as to satisfy a condition ■ d^P. where d^ represents a 
private key. said public key (Q^) having been registered; 

determining arithmetically a point (R^) of an abelian group, said point (R i) being given by Ri s s^P - (e<i -f 

ri)Qi; 

determining a hash value (r^*) satisfying a condition that r^ * » h(Ri); 

outputting a data indicating that said digital signature is authenticated, when sakf hash value (r^ coincides 
with a tally (r) of said digital signature; and 

outputting data indicating that said digital signature is not authenticated unless sakJ hash value (r^') coincides 
with said tally (r^ of said digital signature. 



6. A digital signature verifying method according to claim 5, 

wherein said abelian group includes an elliptic curve. 
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7. A digital signature generating method for generating a mittiple digital signature authenticating electronically signa- 
tures affixed to messages and/or comments (MJ as created and/or added sequemially by N users i (where i « i 

N) by using a public key encryption scheme, comprising the steps of: 

(a) detennining for a given one of said messages (Mj) a first hash value (Oj) satisfying a condition that e; « H(Mi) 
by using a first hash function (H); (b) detmnining for a numerical value (xj obtained 
from translation of a random number a second hash value (rj satisfying a oondiHon that = h(xj by using a 
second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said computation steps (a) and (b) for each of said users i (where 1-1 N) : and 

(d) determining arithnfielically said muttjple dgital signatures on the basis of the hash values (e, and rj deter- 
mined in said execution step (c). 

8. A multiple digital signature generating method according to daim 7, 

wherein for generating said multiple dgital signature by usere i fi ^ 2), said method comprises the steps of: 

inputting a set of numerical values (x^ , Y^) obtained from translation of random numbers; 

computing a hash value e} ■ H(fA) ; 

generating a random number K; 

computing a point kjP « (x, y); , 

computing a point (Xj. yji ■ (x^^ yj.^) + (x, Y); 

computing a hash value ri « h(Xi) : 

detennining by using a private key (dj) a tally (Sf) satisfying a condition given by following expression: 

/ 

s,»s,.,+/c, + d,(e,+ £r,r) (mod n) ; 

lr«1 



and 

outputting a set of numerical values (r^ t\, sO as said multiple digital signature 

9. A digital signature verifying method for verifying a multiple digital signature authenticating electronically signatures 

affixed to messages and/or comments (Mi) as created and/or added sequentially by N users i (where i s i N) 

by resorting to a public key encryption scheme, comprising the steps of: 

(a) determining for the inputted message (Mi) a first hash value (ej satisfying a condition that e; « H(Mi) by 
using a first hash funcbon (H); 

(b) determining for a numerical value (Xj) obtained by arithmetic operation of an inputted multiple digital signa- 
ture (fi. Sj). a put}lic key (Q) aivd a base point (P). a second hash value {r{) satisfying a condition that fj' h(X|) 
on the basis of said first hash value (e^). said digital signature (ri. Sj). said base point (P) and said public key (Q) 
by using a second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said steps (a) and (b) for each of said users i (where [ represents integers "I" to "N" inclusive, 
respectively): and 

(d) comparing each of said hash values (r|') determined in said step (c) with each of tallies (r) of said inputted 
multiple digital signature to thereby obtain results of verification of said inputted di^ signature. 

10. A multple digital signature verifying method according to daim 7. 

wherein for generating a multiple digital signature by users i (i ^ 2). said method comprises the steps of: 

inputting (i - 1) messages and/or comments (M^ M^^) and (i - 1)-tuple digital signature (r^ r^^. Si.i) 

issued by an immediately preceding user (i - 1); 

repeating computation of hash values e^ ■ H(M|c). where k represents 1 to (i - 1); 

Inputting repetitionally public keys generated so as to satisfy a condition that Qk » 4(P and registered pre- 
viously, where Is represents 1 to (i - 1); 
conrputing a point (Rj.^) of an abelian group In accordance with 
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computing a hash value rVi « h{Ri.i) ; 

issuing data indicatina "authenticatBd* when said hash value (r^.^ ooinctdes with a tally (ri.i) of said (i * 1 )-tuple 
digital signature Ci.e., %vhen r^.^* - r^.^) ; and 

issuing data indicating "not-authenticated" unless said hash value (ff.^ coincides with said tally (ri.i)(i.e.. when 

1 1 . A digital signature verifying method aocoidtng to daim 10. 

wherein said abelian groip includes an elliptic curve. 

12. A digital signature generating system for generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a pxMc ksf encryption scheme, comprising: 

processing means for determining for said message (M) a first hash value (e) satisfying a condition that e = 
H(M) by using a first hash function (H); 

processing means for determining for a numerical value (x) obtained from translation of a random number a 
second hash value (r) satisfying a condition that r « h(x) by using a second hash function (h) whose output 
value is shorter than that of said first hash function (H); and 

arithmetic/output means for arithmetically determining and outputting said digital signature by using said first 
hash value (e) and said second hash value (r) as determined. 

13. A digital signature generating system according to daim 12. 

wherein for generating a digital signature (r^ Si) for a given message (M^). said system comprises: 

means tor detennining a hash value (eO satisfying a condition that Si « H(Mi) by using the first hash function 
(H): 

means for generating a random nunnber (ki); 

means for determining a point (Ri (« kiP)) by multiplying a point (P) of the abelian group by said random 

number (ki); 

means tor determining a first numerical value (r^) satisfying a condition that r^ » h(R^) by using the second 

hash function (h) whose output value is shorter than that of said first hash function (H); 

means for determining a second numerical value (Si) satisfying a condition that s^ ■ ^ di (e^ ^ r^) (mod n) 

by using order (n) of said point (P) of the abelian group and a private key (di): and 

means tor outputting a set of said detenrnned numerical values (r^, s<|) as a digital signature. 

14. A digital signature verifying system according to claim 13. 

wherein said abelian group corresponds to an elliptic curve. 

1 5. A digital signature verifying system for verifying a digital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising: 

first arithmetic means tor detenrtining tor said given message (M) a first hash value (e) satisfying a condition 
that e s H(M) by using a first hash function (H): 

second arithmetic means coupled to said first arithmetic means for determining for a numerical value (x) 
obtained from arithmetic operation of an inputted digital signature (r. s). a public key (Q) and a base point (P) 
a second hash value (r*) satisfying a condition that f « h(x) from sakj first hash value (e). said digital signature 
(r, s), said base point (P) and sato public key (Q) by using a second hash function (h) whose output value is 
shorter than that of said first hash function (H): arvl 

verification result output means coupled to said first and second arithmetic means for comparing said hash 
value (r*) with a tally (r) of said inputted digital signature to thereby obtain a result of verification of said inputted 

digital signature. 

16. A digital signature verifying system according to claim 15. 

wherein for verifying a digital signature (r^ S|) of a given message (M^), said system comprises: 



18 



EP0840478A2 

means tor determining a hash value (e^) safisfyins a oondWon that ei • H(MO; 

means for irputting a public key {Qi) generated pranously go as to eaSisff a condition • d^R where d, rep- 
resents a private key. said piisiic key (Qi) having been registered; 

means for determining arithmetically a point (Ri) of an abelian group, said point (R,) being given by Ri « SiP 

•(ei + ri)Qi; 

means for determining a hash value (rO satisfying a condition that r,' • h(Ri): 

means for outputting a data incficating that said dgital signature Is authenticated, when sakJ hash value (r^') 
coincides with a tally (rO of sakf digital signature; and 

means for outputting data indteating that said digital signature is not authenticated unless said hash value (t{) 
coincides with said tally (ri) of said digital signature. 

17. A digital signature verifying system according to daim 16, 

wherein said abelian group includes an elliptic curva 

1 8. A digital signature generating system for generating a nultiple digital signature authenticating electronically signa- 
tures affixed to message and/or comments (Mi) as aeated and/or added sequentialiy by N users' units i (where 1 = 
1 , .... N) by using a public key encryption scheme, oonprising: 

first processing means for detennining for a given one of saU messages (Mj) a first hash value {e^) satisfying a 
condition that e « H(Mi) by using a first hash function (H); 

second processing means for determining for a numaical value (xj obtained from translation of a random 
number a second hash value (rj satisfying a condition that n « h(Xi) by using a second hash function (h) whose 
Output value is shorter than that of sakf first hash function (H); 

third processing means for executing the processings of said first and second processing means for each of 
said users' units i (where i > 1 N); and 

arithmetic/output means for determining arithmetically saki multiple digital signature on the basis of said hash 
values (ej and rO determined by ead third processing means. 

1 9. A multiple digital signature generating system according to daim 18, 

wherein for generating said multiple digital signature, each of sakf users' units 10^2) includes: 

means for inputting said set of numerical values (x^^ . Y^.\) obtained from the translation of random numbers; 
means for computing a hash value given by a, « H(Mi); 

means for generating a random number kj; means for computing a point given tiy kjP « 

(X. y); 

means for computing a point given by (Xj. yj) ■ (Xi.i , y^) + (x. y): 
means for computing a hash value given by r{ • h(Xi) 

means for detennining by using a private key (dj a numerical value (6|) satisfying a condition given by 



Sf s S;.i + + d, (Bf ^ 2 r^) (mod n) ; 



and 

means for outputting a set of detemnined numerical values (r^ rj. Sg) as the digital signature. 

20. A diglta) signature verifying system for verifying a multiple digital signature authenticating electronically signatures 
affixed to messages and/or comments (MJ as created and/or added sequentially by N users's unit i (where i « 1 , 
.... N) by resorting to a public key encryption scheme, comprising: 

first arithmetic means for detenmining for the inputted message (Mj) a first hash value (e^) satisfying a condition 
that e; s H(Mi) by using a first hash function (H); 

second arithmetic means for determining for a numerical value (X|) ot>tained by arithmetic operation of the 
inputted nrujttipte digital signature (r|. Sj), a pibWc key (Q) and a base point (P). a second hash value (r^ satis- 
fying a condition that r- e h(Xi) on the basis of said first hash value (e^). said digital signature (rj. s^), said base 
point (P) and said public key (Q) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); 
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processing means tor executing repetitionafiy the otlhmelic operation of said first and second arithmetic 
means tor each of said users's units i (where i represents integers T to "W inclusive, respectively) ; and 
verifying means for conrparing each of said hash values (r{) determined by said processing means with each 
of tallies (r) of said iiputted multiple digital signature to thereby obtain results of verification of said inputted dig- 
ital signature. 

21 . A multiple digital signature verifying system according to daim 20. 

wherein tor authenticating a multiple cfigltal signature by users* units i (I ^ 2), each of sard users' units 
includes: 

means for inputting (i - 1) messages and/or comments (Mi M^) and (i - 1)-tuple digital signature (r^ 

^ , issued by an immediately preceding user's units 0-1); 

means tor repeating co m put a tio n of hash values Ok - H(MtJ, where |s represmts 1 to 0 - 1 ): 
means tor inputting repetitionally public keys 0^ generated so as to satisfy a condition that 0^ « d^P and reg- 
istered previously, where Is represents 1 to fi • 1); 
means tor computing a pant (FVi) of an abelian group in accordance with 

{«m)-«M L 'n) Q/r: 



means tor computing hash values r^.^* » h (R^i); 

means for issuing data indcating that said muttipie digital signature is authenticated when said hash value (r|. 
0 coincides with a tally [v^.^) of said (i - Ihtuple digitai signature (i.e.. when ri.^ - v^^), while issuing data indi- 
cating that said muttipie digital signature is not-authenticated unless said hash value {t^^') coincides with said 
tally (ri.i)(i.e., ¥ifhen r^V^r^). 

22. A digitai signature verifying system according to daim 21 , 

wherein said abelian group includes an elliptic curve. 

23. A computer-readat>le recording medium for storing a program which is composed of instructions executed by a 
computer and which is for carrying out a method for generating a digital signature authenticating electronically a 
signature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gen- 
erating method comprising the steps of: 

determining for said message (M) a f rst hash value (e) satisfyng a condition that e ■ H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from translation of a random rumber a second hash value (r) 
satisfying a condition that r « h(x) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H): and 

arithmetically determining and outputting said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as detemiined. 

24. A computer-readable recording medium for storing a program which is conrposed of instructions executed by a 
computer and which is for carrying out a method tor verifying a digital signature authenticating electronically a sig- 
nature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gener- 
ating method comprising the steps of: 

determining tor a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r. s), 
a public key (Q) and a base point (P), a second hash value (r*) satisfying a condition that r' e h(x) on the basis 
of said first hash value (e). said digital signature (r. s), said base point (P) and said public key (Q) by using a 
second hash tonction (h) whose ouput value is shorter than that of said first hash function (H); and 
conrparing said hash value (r*) with a tally (r) of said inputted digital signature to thereby obtain a result of ver- 
ification of said inputted digital signature. 

25. A method of generating and verifying a digital signature using a public key encryption scheme in a system in which 
a digital signature is generated by a given one computer and transmitted via a network to another computer to be 
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verified thereby. 

tor generating a digital signature (r^ s,) for a given message (M^ by said given one computer, 
determining a hash value (ei) satisfying a condition that e^ - H(Mi) by using a first hash function (H); 
generating a random narrtef (k^); 

detemiining a point (Ri (- kiP)) by nwttiplying a point (P) of an abelian group by said random number (k,) : 
determining a first numerical value (r^ satisfying a condition that r, - h(Rt) by using a second hash function 
(h) whose output value is shorter than that of said first hash function (H); 

determining a second numerical value (Sj) satisfying a condition that s^ - k^ + d^ (e^ + r,) (mod n) on the basis 
of the order (n) of said poirt (P) rf saU abdiff) groip and a private key (di); ^ 

sending a set of said determined numerical values fri. Si) as a digital signature to said another computer via 
said network; and 

for verifying said digital signature (ri , Si) by said another computer, 

fetching said digital signature (r, . s^) sent from said given one computer, a base point (P). a public key (Q) and 
order (n) from a public f9e: 

determining a hash value (e^) satisfying a condition that ei > H(Mi); 

inputting a public key (Qi) generated previously so as to satisfy a condition - diP. ¥vhere d, represents a 
private key; 

detemiining arithmetically a point (Ri) of an abefian group. Mkl point (R i) being given by Ri = s^P - (e, + 

ri)Qi: 

determining a hash value (rO satisfying a concfition that r^' « h(Ri); 

outputting a data indicating that saki dgital signature is authenticated, when saki hash value (r)*) coincides 
with a tally (r) of sakj digital signature; and 

outputting data indicating that said digital signature is not authenticated unless ssM hash value (r^*) coincides 
with said tally (r^ of said digital signature. 
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FIG. I 
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FIG. 2A 



USER A's 1003 
COMPUTER f 

KEY GENERATING 



X 



1011 



^1012 ^1013 


RANDOM NUMBER 

GENERATING 

FUNCTION 




SCALAR 

MULTIPLICATION 
ON ELLIPTIC 
CURVE (E) 


QA=dAP 









PRIVATE 
KEY (dA) 



S 



PUBLIC 
KEY (Qa) 



1014 
1015 



DIGfTAL SIGNATURE GENERATING 
/-lO'P FUNCTION MODULE 



1033 



MESSAGE 
(M) 



1017 



PRIVATE 
KEY (dA) 



HASH 

FUNCTION (H) 



1028^ 
HASH 
VALUE (e) 



RANDOM NUMBER 

GENERATING 

FUNCTION 

1029--^ 



1032 



1018 



BASE 
POINT (P) 



SCALAR 1030 
MULTIPLICATION .T '^"^^ 
ON ELLIPTIC 
CURVE (E) 



(x,v)=lcPi 



r=h(x) 



s=lc+dA(e+r) (mod n) 



T 



r 



1031 



1019 



DIGITAL 
SIGNATURE 



1001 



USER B's 
COMPUTER 




SYSTEM manager's COMPUTER 



PUBLIC 



ELLIPTIC 
CURVE (E) 



FILE/^IOOS ;^1007 j-10 08 



BASE 
POINT (P) 



USER NAME (A) 



ORDER (n) 



PUBLIC KEY (Qa) 



1002 



r 



1005 



1009 



1010 



1007B 



BASE POINT (P) 



1020 



PUBLIC 
KEY (Qa) 



DIGITAL 
SIGNATURE 

(r,s) 



MESSAGE (M) 

^1022 



1024 



J-- 1023 



SCALAR 

MULTIPLICATION 
ON EU.IPTIC 
CURVE (E) 
AND ADDITION 



(x,y)=sP-(e+r)QA 



1021 



/-1 025 



HASH FUNCTION (H) 




HASH 
VALUE (e) 



DIGITAL 

SIGNATURE 

VERIFYING 

FUNCTION 

MODULE 



1027 



AUTHENTICATED 
NOT 

ALTTHENTICATED 



23 



EP0840478A2 



FIG. 2B 



START 




201 



INPUT OF MESSAGE (Ml ), / ^ 202 

INPUT OF PRIVATE KEY (dl ) AND/ ^ 
INPUT OF BASE POINT (P) 



I 




GENERATE RANDOM NUMBER (ki ) 

OFjHBrre 

I 



COMPUTE 
(xi,yi)=kiP 

I 



COMPUTE 
n=h (xi ) 

I 



COMPUTE 
ei=H (Ml) 



COMPUTE 
si*=ki+di (ei+n) (mod n) 



OUTPUT OF VALUE OF 
(r),si) 




209 



END 



203 



204 



205 



206 



207 



208 



24. 



EP0840478A2 



FIG. 3 



START 




301 



RECEPTION OF MESSAGE (Ml )^ND 
RECEPTION OF SIGNATURE (n^i 



302 



INPUT OF BASE POINT (P)^ND 
INPUT OF PUBLIC KEY (Qi ' 



303 



COMPUTE 
ei=H (Ml) 



COMPUTE 
(xi,yi)=siP— (ei+ri)Qi 





COMPUTE 






rj'=h (xj) 




307^ JL 



304 



305 



306 



308 





310 



OUTPUT OF 
"AUTHENTICATED' 



OUTPUT OF 
'NOT AUTHENTICATED' 



309 



/ OUTPUT OF / 




J FIRST ELLIPTIC POINT / 




7 (x„V,) / 




31 U ^ 










END 



25 



EP 0 840 478 A2 



FIG. 4 



START 




401 



INPUT OF MESSAGE (M2), 
INPUT OF PRIVATE KEY(d2),AND 
INPUT OF BASE POINT (P) 



402 



INPUT OF FIRST ELLIPTIC 
POINT (xi,yi) 



403 



GENERATE RANDOM NUMBER (k 2) 
OF IH BITS 



I 



COMPUTE 
(x,y)=k2P 



COMPUTE 
(x2,y2) = (xi,yi ) + (x,y) 



COMPUTE 
r2=h (x2) 



COMPUTE 
e2=H (M2) 



COMPUTE 
S2=si+k2+d2 (e24-ri4-r2) (mod n) 



OUTPUT OF VALUE OF 
MULTIPLE SIGNATURE 
(ri,r2,S2) 





404 



405 



406 



407 



408 



409 



410 



411 



END 



26 



EP0840478A2 



FIG. 5 




START 



501 



RECEPTION OF MESSAGE (MlJ 
RECEPTION OF SIGNATURE (n 



L 



502 



INPUT OF BASE POINT (P)^ND 
INPUT OF PUBLIC KEY (Qi 



^andTt 



503 



COMPUTE 
ei«H (Ml) 



COMPUTE 
e2=H(M2) 



^504 
505 



COMPUTE 

(x2,y2)=S2P— (ei+r|) Gi— (e2H-ri+r2) Q2 



509 



COMPUTE 
r2'=h(x2) 


508^ 










^NO 




|YES 





507 



506 



511 



OUTPUT OF 
'AUTHENTICATED" 



OUTPUT OF 
'NOT AUTHENTICATED" 



510 



OUTPUT OF 
SECOND ELLIPTIC POINT 

(X2,Y2) 




27 



EP 0 840 478 A2 



FIG. 6 



613 



614 



612 



USER C's ISSUED 
DOCUMENT 



^IJUSER A's CREATED 
DOCUMENT (Ml) 



USER B's 
COMMENT (M 2) 



USER A's AND B's 
SIGNATURE 
(ri,r2,S2) 



USER C's 
COMMENT (M3) 



USER A's B's 
AND C's SIGNATURE 
(ri,r2,r3,S3) 



603 



602 
.601 



108 
604 

122 
123 
124 

605 



AL2' 



AL3 



BASE 
POINT (P) 



PUBLIC 
KEY (Qi) 



PUBLIC 
KEY (Qz) 



PRIVATE 
KEY (d3) 



USER C's 

PERSONAL 

COMPUTER 




USER B'3 
PERSONAL 
COMPUTER 



104 



607 



608 
609 
610 
611 



AL3' 



BASE 
POINT (P) 



PUBLIC 
KEY (Qi) 



PUBLIC 
KEY (02) 



PUBLIC 
KEY (O3) 



USER D's 

PERSONAL 

COMPUTER 



606 



NETWORK 



103 




USER A' 3 
PERSONAL 
COMPUTER 



28 



EP0840478A2 



FIG. 7 



START 




701 



INPUT OF MESSAGE (M 3), • 7 
INPUT OF PRIVATE KEY(d3), \ ^ 
INPUT OF BASE POINT (P)^ND U 
INPUT OF DUPLE DIGITAL / 
SIGNATURE (ri,r2,S2) \ 



702 



INPUT OF SECOND 
ELLIPTIC POINT 

(X2,V2) 




703 



GENERATE RANDOM NUMBER (k a) r 
OF iH BITS ^ 



I 



COMPUTE 

(x.y)=k3P 



I 



COMPUTE 
(x3,y3) = (x2,y 2)+ (x,y) 



COMPUTE 
r3=h (xs) 



COMPUTE 
e3=H (M3) 



J' 



704 
705 

706 
707 

708 



COMPUTE 

S3=S2+k3+d3 (e2+ri+r2+r3) (mod n) 



I 



709 



OUTPUT OF 
MULTIPLE SIGNATURE 
(ri,r2,r3,S3) 





710 



711 



END 



29 



EP0840478A2 




RECEPTION OF MESSAGE (Ml,M2,M3) 
AND RECEPTION OF SIGNATURES 
(ri.r2/3,S3) 




802 



INPUT OF BASE POINT (P), 
INPUT OF PUBLIC KEY 
(01,02,03) 




803 



COMPUTE 
ei=H (Ml) 



COMPUTE 
e2=H (Mz) 



804 
805 





COMPUTE 
e^=H (M3) 


^ ouo . 

^807 








COMPUTE 

(x3,y3 ) =S3P— (ei +r y ) Qi— (e2+ri +r 2) 02- 


(e3H-ri+r2+r3)Q3 



810 



COMPUTE 
r3'='h(x3) 


809^ 




_ NO 








ITyes 





808 



OUTPUT OF 
AUTHENTICATED" 



OUTPUT OF 
THIRD ELLIPTIC POINT 
(X3,y3) 




812 



OUTPUT OF 
'NOT AUTHENTICATED' 




30 



EP0 840478A2 

BEST AVAILABLE COPY 

F I G. 9 PR'OR ART 



USER A's 
COMPUTER 



1003 



KEY GENERATING 
FUNCTION MODULE 



'1012 



1011 



RANDOM NUMBER 

GENERATING 

FUNCTION 



dA 



f ^1 013 



SCALAR 

MULTIPLICATION 
ON ELLIPTIC 
CURVE (E) 



QA=dAP 



PRIVATE 
KEY (dA) 



PUBLIC 
KEY (Qa) 



DIGITAL SIGNATURE GENERATING 

J- 101 6 FUNCTION MODULE 



1033 



MESSAGE 

(M) 



1017 



PRIVATE 
KEY (dA) 



HASH 

FUNCTION (H) 

s\ 



1028 



HASH ^ ^ 
VALUE (») 



RANDOM NUMBER 

GENERATING 

FUNCTION 

1029-^ 



1032 



1014 
[^1015 

^1018 



BASE 

POINT (P) 



SCAUR 

MULTIPLICATION 
ON ELLIPTIC 
. CURVE (E ) 

(x. v)«kPl 



* j f »x-t-B (mod n) 



s=k— dAT 



1^ 1030 
1031 

1019 



V 



DIGITAL 
SIGNATURE 



1001 




SYSTEM manager's COMPUTER 



PUBLIC FI LE/- ^OOSj^^OOy 1 008 



ELLIPTIC 
CURVE (E) 



BASE 
POINT (P) 



Lr 



USER B's 
COMPUTER 



USER NAME (A) 



ORDER (n) 



PUBLIC KEY (Oa) 



1009 



1002 



1005 



1010 



1007B 



BASE POINT P 
(SYSTEM KEY) 



1020 



PUBLIC 
KEY (Qa) 



digital 

SIGNATURE fflv 

(r.s) ^ 



MESSAGE (M) 



1022 



1024 



j^1023 



SCAUR 

MULTIPLICATION 
ON ELLIPTIC 
CURVE (E) 
AND ADDITION 



HASH 
1021 VALUE (e) 



rio25 



HASH FUNCTION (H) -I 




DIGITAL 

SIGNATURE 

VERIFYING 

FUNCTION 

MODULE 



1027 



AUTHENTICATED 
NOT 

AUTHENTICATED 



31 



This Page is Inserted by IFW Indexing and Scanning 
Operations and is not part of the Official Record 



Defective images within this ddcimient are accurate representations of the original 
documents submitted by the applicant. 

Defects in the images include but are not limited to the items checked: 

□ black BORDERS 

□ IMAGE CUT OFF AT TOP, BOTTOM OR SmES 

□ FADED TEXT OR DRAWING 



□ SKEWED/SLANTED IMAGES 

□ COLOR OR BLACK AND WHITE PHOTOGRAPHS 

□ GRAY SCALE DOCUMENTS 

□ LINES OR MARKS ON ORIGINAL DOCUMENT 

□ R£FERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY 

□ OTHER: ' 

IMAGES ARE BEST AVAILABLE COPY. 
As rescanning these documents will not correct the image 
problems checked, please do not report these problems to 
the IFW Image Problem Mailbox. 



BEST AVAILABLE IMAGES 




ILURRED OR ILLEGIBLE TEXT OR DRAWING 



